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(57) A system includes a general synchronization 
module at the client site for operating within a first fire- 
wall and for examining first version information to deter- 
mine whether a first workspace element has been mod- 
ified. The system further includes a synchronization 
agent at a global server for operating outside the first 
firewall and for forwarding to the general synchroniza- 
tion module second version information which indicates 
whether an independently-modifiable copy of the first 
workspace element has been modified. A synchroniza- 
tion-start module is maintained at the client site for op- 
erating within the first firewall and for securely initiating 
the general synchronization module and the synchroni- 
zation agent when predetermined criteria have been 
satisfied. The system further includes means for gener- 
ating a preferred version from the first workspace ele- 
ment and from the copy by comparing the first version 
information and the second version information, and 
means for storing the preferred version at the first store 
and at the second store. 
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Description 

BACKGROUND OF THE INVENTION 

[0001] This invention relates generally to computer 
networks, and more particularly to a system and method 
for securely synchronizing multiple copies of a work- 
space element such as a file in a secure network. 
[0002] Data consistency is a significant concern for 
computer users. For example, when maintaining multi- 
ple independently-modifiable copies of a document, a 
user risks using an outdated version. Further, by the 
time the user notices the inconsistency, interparty mis- 
communication or data loss may have resulted. The us- 
er must then spend more time attempting to reconcile 
the inconsistent versions. 

[0003] The problem of data inconsistency is exacer- 
bated when multiple copies of a document are main- 
tained at different network locations. For example, due 
to network security systems such as conventional fire- 
wall technology, a user may have access only to a par- 
ticular one of these network locations. Without access 
to the other sites, the user cannot confirm that the ver- 
sion on the accessible site is the most recent draft. 
[0004] Therefore, a system and method are needed 
for providing users with data consistency, and more par- 
ticularly for synchronizing multiple copies of a work- 
space element such as a document in the secure net- 
work environment. 

[0005] Particular and preferred aspects of the inven- 
tion are set out in the accompanying independent and 
dependent claims. Features of the dependent claims 
may be combined with those of the independent claims 
as appropriate and in combinations other than those ex- 
plicitly set out in the claims. 

SUMMARY OF THE INVENTION 

[0006] An embodiment of the invention provides a 
system and method for synchronizing multiple copies of 
a workspace element in a secure network environment. 
The secure network environment includes a global serv- 
er connected to multiple clients. Using the present sys- 
tem and method, the clients automatically synchronize 
workspace data between multiple sites, independent of 
whether the sites are protected by site firewalls. 
[0007] The present system includes a general syn- 
chronization module at the client site for operating within 
a first firewall and for examining first version information 
to determine whether a first workspace element has 
been modified. The system further includes a synchro- 
nization agent at the global server for operating outside 
the first firewall and for forwarding to the general syn- 
chronization module second version information which 
indicates whether an independently-modifiable copy of 
the first workspace element has been modified. A syn- 
chronization-start module at the client site operates 
within the first firewall and initiates the general synchro- 
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nization module and the synchronization agent when 
predetermined criteria have been satisfied. The system 
further includes means for generating a preferred ver- 
sion from the first workspace element and from the copy 

s by comparing the first version information and the sec- 
ond version information, and means for storing the pre- 
ferred version at the first store and at the second store. 
[0008] The system further handles the case when 
both the workspace element and the copy have been 

10 modified independently since the last date and time of 
synchronization. Accordingly, a content-based synchro- 
nization module performs a responsive action such as 
determined a preferred version or storing both the first 
workspace element and the copy at both the first store 

'5 and at the second store. 

[0009] The present method includes the steps of gen- 
erating first examination results by examining first ver- 
sion information, which indicates whether a first work- 
space element stored at a first store within a firewall has 

20 been modified; and generating second examination re- 
sults by examining second version information which in- 
dicates whether an independently-modifiable copy of 
the first workspace element, the copy being stored at a 
second store outside the firewall, has been modified. 

25 The present method further includes the steps of initiat- 
ing synchronization from within the firewall when prede- 
termined criteria have been satisfied; generating a pre- 
ferred version from the first workspace element and 
from the copy based on the first and second examination 

30 results; and storing the preferred version at the first store 
and at the second store. 

[0010] The system and method advantageously use 
a trusted third party to enable the synchronization of 
workspace data among multiple sites. Accordingly, a di- 
ss ent user who maintains a work site, a home site, an off- 
site and the global server site can synchronize the work- 
space data or portions thereof among all four sites. Fur- 
ther, the predetermined criteria (which controls when the 
synchronization-start module initiates synchronization) 
40 may be set so that the general synchronization module 
synchronizes the workspace data upon user request, at 
predetermined times during the day such as while the 
user is commuting, or after a predetermined user action 
such as user log-off or user log-on. Because the system 
45 and method operate over the Internet, synchronization 
can occur over any distance. Since synchronization is 
initiated from within the firewall, the typical firewall, 
which prevents in-bound communications, does not act 
as an impediment to workspace data synchronization. 
50 Also, since the user's preferences may be previously 
set, the present system and method may operate unat- 
tended by the client user. 

BRIEF DESCRIPTION OF THE DRAWINGS 

55 

[0011] Exemplary embodiments of the invention are 
described hereinafter, by way of example only, with ref- 
erence to the accompanying drawings, in which: 
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FIG. 1 is a block diagram illustrating a secure data- 
synchronizing network in accordance with the 
present invention; 

FIG. 2 is a block diagram illustrating details of a FIG. 
1 service server; 

FIG. 3 is a block diagram illustrating details of the 
FIG. 1 desktop computer; 

FIG. 4 is a block diagram illustrating details of the 
FIG. 3 base system; 

FIG. 5 is a block diagram illustrating details of the 
FIG. 1 synchronization agent; and 
FIG. 6 is a flowchart illustrating a method for syn- 
chronizing multiple copies of a workspace element 
in a secure network. 

DETAILED DESCRIPTION 

[0012] FIG. 1 is a block diagram illustrating a secure 
data-synchronizing network 100, comprising a first site 
such as a remote computer terminal 105 coupled via a 
communications channel 110 such as the Internet to a 
global server 120. The global server 120 is in turn cou- 
pled via a communications channel 125 such as the In- 
ternet to a second site such as a corporate Local Area 
Network (LAN) 135. The global server 120 is protected 
by a global firewall 115, and the corporate LAN 135 is 
protected by a corporate firewall 130. 
[0013] The corporate LAN 135 includes a corporate 
signal bus 1 40 coupling the corporate firewall 1 30 to an 
e-mail server 145 having e-mail data 165, to a file server 
1 50 having file data 1 70, to a calendar server 155 having 
calendar data 175 and to a desktop computer 160 hav- 
ing user data 180. It will be appreciated that Ihe e-mail 
data 165, file data 170, calendar data 175 and user data 
180 or portions thereof may be stored at different loca- 
tions such as locally on the desktop computer 160. It will 
be further appreciated that the e-mail data 1 65, file data 
1 70, calendar data 1 75 and user data 1 80 are exempla- 
ry and collectively referred to herein as "workspace da- 
ta" 1 85. Those skilled in the art will recognize that "work- 
space data" may include other types of data such as 
application programs. It will be further appreciated that 
the e-mail data 1 65, file data 1 70, calendar data 1 75 and 
user data 180 may each be divided into workspace el- 
ements, wherein each workspace element is identified 
by particular version information 255 (described below 
with reference to FIG. 2). Accordingly, each e-mail, file, 
calendar, etc. may be referred to as "a workspace ele- 
ment in workspace data." 

[0014] An independently modifiable copy of the work- 
space data 185, referred to herein as workspace data 
1 23, is stored on the global server 1 20 for easy access 
by a user from the remote terminal 105. Being a copy, 
the workspace data 123 includes independently modifi- 
able copies of each workspace element in workspace 
data 185 and an independently modifiable copy of ver- 
sion information 255 (FIG. 2), referred to herein as ver- 
sion information 124. 
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[0015] Network 100 further comprises synchroniza- 
tion means, which includes a base system 1 90 stored 
within the corporate LAN 135 and for example on the 
desktop computer 160 and further includes a synchro- 

s nization agent 1 26 stored outside the corporate firewall 
130 and preferably on the global server 120. The base 
system 1 90 and the synchronization agent 126 cooper- 
ate to synchronize the workspace data 185 with the 
workspace data 123. Generally, the base system 190 

10 manages the workspace data 185 within the corporate 
LAN 135 and the synchronization agent 126 manages 
the workspace data 1 23 within the global server 1 20. As 
described in greater detail below with reference to FIG. 
4, the base system 190 preferably initiates and controls 

is data synchronization. 

[0016] The remote terminal 105 may include a smart 
telephone or a Personal Data Assistant (PDA) such as 
the PalmPilot system by the U.S. Robotics, Inc. Al- 
though not shown, the remote terminal 105 may include 

20 a second base system similar to the base system 1 90, 
which is described with greater detail with reference to 
FIG. 4. Accordingly, the second base system on the re- 
mote terminal 105 would cooperate with the synchroni- 
zation agent 126 to synchronize the workspace data 

25 stored on the remote terminal 105 with the workspace 
data 123 stored on the global server 120. As with the 
corporate LAN, the second base system on the remote 
terminal 105 would preferably initiate and control data 
synchronization with the global server 1 20 for the same 

30 reasons discussed below. Workspace data on the re- 
mote terminal 105 would thus be synchronized with the 
workspace data 123 and with the workspace data 185. 
[0017] FIG. 2 is a block diagram illustrating details of 
a service server 200, wherein each of the e-mail server 

35 145, the file server 1 50, the calendar server 1 55 and the 
desktop computer 160 is an instance thereof. Service 
server 200 includes a Central Processing Unit (CPU) 
205 such as a Motorola Power PC® microprocessor or 
an Intel Pentium® microprocessor. An input device 210 

40 such as a keyboard and mouse and an output device 
21 5 such as a Cathode Ray Tube (CRT) display are cou- 
pled via a signal bus 220 to CPU 205. A communications 
interface 225 (such as an Ethernet port), a data storage 
device 230 (such as read only memory or a magnetic 

45 disk), and Random-Access Memory (RAM) 235 are fur- 
ther coupled via signal bus 220 to the CPU 205. 
[0018] An operating system 240 includes a program 
for controlling processing by the CPU 205, and is typi- 
cally stored in the data storage device 230 and loaded 

50 into the RAM 235 for execution. A service engine 245 
includes a program for performing a particular service 
such as maintaining an e-mail data base, a calendar da- 
ta base, a bookmarks data base or another file data 
base, and may be also stored in the data storage device 

55 230 and loaded into the RAM 235 for execution. To per- 
form a service, the service engine 245 operates on serv- 
ice data 250 (e.g., the e-mail data 165, the file data 170, 
the calendar data 175 or the user data 180), which is 



EP 0 986 225 A1 



3 



5 

typically stored in the data storage device 250. The serv- 
ice data 250 includes version information 255 indicating 
the date and time of the last modification. The service 
engine 245 operates to update the version information 
255 whenever modifications are made. It will be appre- 
ciated that the portion of memory in the data storage 
device 250 which contains the service data 250 is re- 
ferred to as the service "store." 

[0019] FIG. 3 is a block diagram illustrating details of 
the desktop computer 160, which includes a CPU 305, 
an input device 310, an output device 315, a communi- 
cations interface 325, a data storage device 330 and 
RAM 335, each coupled to a signal bus 320. 
[0020] An operating system 340 includes a program 
for controlling processing by the CPU 305, and is typi- 
cally stored in the data storage device 330 and loaded 
into the RAM 335 for execution. A desktop service en- 
gine 345 (i.e., a particular service engine 245, FIG. 2) 
includes a service program for managing user data 1 80 
(i.e., particular service data 250, FIG. 2) which includes 
version information 350 (i.e., particular version informa- 
tion 255, FIG. 2). The desktop service engine 345 may 
be also stored in th e data storage device 330 and loaded 
into the RAM 335 for execution. The user data 180 may 
be stored in the data storage device 330. As stated 
above with reference to FIG. 1, the base system 190 
operates to synchronize the workspace data 185 (which 
includes user data 180) with the workspace data 123. 
The base system 190 may be also stored in the data 
storage device 330 and loaded into the RAM 335 for ex- 
ecution. 

[0021] FIG. 4 is a block diagram illustrating details of 
the base system 1 90, which includes a communications 
module 405, a user interface module 41 0, a locator mod- 
ule 415, a synchronization-start ("synch-start") module 
420, a general synchronization module 425 and a con- 
tent-based synchronization module 430. For simplicity, 
each module is illustrated as communicating with one 
another via a signal bus 440. 

[0022] The communications module 405 includes 
routines for compressing data, and routines for commu- 
nicating via the communications interface 325 (FIG. 3) 
with the synchronization agent 126 (FIG. 1). The com- 
munications module 405 may further include routines for 
applying Secure Socket Layer (SSL) technology and us- 
er identification and authentication techniques (i.e., dig- 
ital certificates) to establish a secure communication 
channel through the corporate firewall 1 30 and through 
the global firewall 126. Examples of communications 
modules 405 may include TCP/IP stacks or the Apple- 
Talk® protocol. 

[0023] The user interface 410 includes routines for 
communicating with a user, and may include a conven- 
tional Graphical User Interface (GUI). The user interface 
410 operates in coordination with the other desktop 
computer 160 components as described herein. 
[0024] The locator module 415 includes routines for 
identifying the memory locations of the workspace ele- 
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ments in the workspace data 1 85 and the memory loca- 
tions of the workspace elements in the workspace data 
123. Workspace element memory location identification 
may be implemented using intelligent software, i.e., pre- 

s set memory addresses or the system's registry, or using 
dialogue boxes to query a user. Accordingly, the locator 
module 415 determines the memory addresses of the 
workspace elements in the e-mail data 165, the work- 
space elements in the file data 170, the workspace ele- 

10 ments in the calendar data 1 75 and the workspace ele- 
ments in the user data 180 as well as the memory ad- 
dresses of the corresponding workspace elements in 
the workspace data 123. It will be appreciated that the 
locator module 415 may perform workspace element 

J5 memory location identification upon system boot-up or 
after each communication with the global server 120 to 
maintain updated memory locations of workspace ele- 
ments. 

[0025] The synchronization-start module 420 in- 
20 eludes routines for determining when to initiate synchro- 
nization of workspace data 123 and workspace data 
185. For example, the synchronization-start module 420 
may initiate data synchronization upon user request, at 
a particular time of day, after a predetermined time pe- 
25 riod passes, after a predetermined number of changes, 
after a user action such as user log-off or upon like cri- 
teria. The synchronization-start module 420 initiates da- 
ta synchronization by instructing the general synchroni- 
zation module 425 to begin execution of its routines. It 
30 will be appreciated that communications with synchro- 
nization agent 1 26 preferably initiate from within the cor- 
porate LAN 1135, because the typical corporate firewall 
1 30 prevents in-bound communications and allows out- 
bound communications. 
35 [0026] The general synchronization module 425 in- 
cludes routines for requesting version information 124 
from the synchronization agent 126 (FIG. 1) and rou- 
tines for comparing the version information 255 against 
a last synchronization signature 435 such as a last syn- 
40 chronization date and time to determine which versions 
have been modified. The general synchronization mod- 
ule 425 further includes routines for comparing the ver- 
sion information 124 and the version information 255 to 
determine if only one or both versions of a particular 
45 workspace element have been modified and routines for 
performing an appropriate synchronizing responsive ac- 
tion. Appropriate synchronizing responsive actions may 
include forwarding the modified version (as the pre- 
ferred version) of a workspace element in workspace 
so data 185 or forwarding just a compilation of the changes 
to the other store(s). Other appropriate synchronizing 
responsive actions may include, if reconciliation be- 
tween two modified versions is needed, then instructing 
the content-based synchronization module 430 to exe- 
55 cute its routines which are described below. 

[0027] It will be appreciated that the synchronization 
agent 126 preferably examines the version information 
124 and forwards only the version information 124 de- 
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termined to be modified since the last synchronization 
signature 435. This technique makes efficient use of 
processor power and avoids transferring unnecessary 
data across the communications channel 125. The gen- 
eral synchronization module 425 in the corporate LAN 
1 35 accordingly compares the received version infor- 
mation 124 with the version information 255 to deter- 
mine if reconciliation is needed. Upon completion of the 
data synchronization, the general synchronization mod- 
ule 425 updates the last synchronization signature 435. 
[0028] The content-based synchronization module 
430 includes routines for reconciling two or more mod- 
ified versions in workspace data 123, 185 of the same 
workspace element. For example, if the original and the 
copy of a user workspace element have both been mod- 
ified independently since the last synchronization, the 
content-based synchronization module 430 determines 
the appropriate responsive action. The content-based 
synchronization module 430 may request a user to se- 
lect the preferred one of the modified versions or may 
respond based on preset preferences, i.e., by storing 
both versions in both stores or by integrating the chang- 
es into a single preferred version which replaces each 
modified version at both stores. 
[0029] FIG. 5 is a block diagram illustrating details of 
the synchronization agent 126, which includes a com- 
munications module 505 (similar to the communications 
module 405 described above with reference to FIG. 4) 
and a general synchronization module 510 (similar to 
the general synchronization module 425 described 
above also with reference to FIG. 4). The communica- 
tions module 505 includes routines for compressing da- 
ta, and routines for communicating via the communica- 
tions channel 125 with the base system 1 90. The com- 
munications module 505 may further include routines for 
establishing a secure communications channel through 
the global firewall 1 26 and through the corporate firewall 
130. 

[0030] The general synchronization module 510 in- 
cludes routines for comparing the version information 
124 with the last synchronization signature 435, and 
routines for forwarding to the general synchronization 
module 425 version information 124 determined to be 
modified. The general synchronization module 510 may 
either maintain its own last synchronization signature 
435 copy (not shown). Alternatively, the request to syn- 
chronize from the base system 1 90 may include a copy 
of the last synchronization signature 435. The general 
synchronization module 510 further includes routines 
for receiving preferred versions of workspace data 185 
workspace elements from the general synchronization 
module 425, and routines for forwarding preferred ver- 
sions of workspace data 1 23 workspace elements to the 
general synchronization module 425. 
[0031] FIG. 6 is a flowchart illustrating a method 600 
for synchronizing multiple copies of workspace data 
123, 185 in a secure network 100. Method 600 begins 
with locator module 41 5 in step 605 identifying the mem- 



ory locations of the workspace elements in workspace 
data 123, 185. As stated above, workspace element 
memory location identification may be implemented us- 
ing intelligent software or dialogue boxes. The user in- 
s terface module 41 0 in step 610 enables selection of the 
workspace elements in workspace data 123, 185 to be 
synchronized by the general synchronization module 
425. 

[0032] The synchronization-start module 420 in step 
10 615 determines whether predetermined criteria have 
been met which indicate that synchronization of the 
workspace elements selected in step 610 should start. 
If not, then method 600 loops back to step 615. Other- 
wise, the communications module 405 and communica- 
'5 tions module 505 in step 617 establish a secure com- 
munications channel between the global server 1 20 and 
the desktop computer 1 60. The general synchronization 
module 510 in step 620 compares the version informa- 
tion 124 of each of the selected workspace elements in 
20 workspace data 123 against the last synchronization 
signature 435 to determine modified workspace ele- 
ments, and forwards the version information 124 of 
workspace elements determined to be modified to the 
general synchronization module 425. Further, the gen- 
25 eral synchronization module 425 in step 620 compares 
the version information 255 of each selected workspace 
element in the workspace data 1 85 against the last syn- 
chronization signature 435 to locate modified work- 
space elements. In this embodiment, a workspace ele- 
30 ment has been modified if the date and time of last mod- 
ification is after the date and time of last synchronization. 

[0033] If no modified workspace elements in work- 
space data 123 or in workspace data 185 are located, 
35 then the general synchronization modules 425 and 510 
in step 650 update the last synchronization signature 
435 and method 600 ends. Otherwise, the general syn- 
chronization module 425 in step 625 determines wheth- 
er more than one version of the same workspace ele- 
40 ment has been modified since the last synchronization. 
[0034] If only one version has been modified, then the 
corresponding general synchronization module 425 or 
510 in step 630 forwards the updated preferred version 
of the workspace element to the other store, and then 
45 in step 635 determines whether all workspace elements 
selected in step 610 have been examined. If so, then 
method 600 jumps to step 650. Otherwise, then method 
600 returns to step 620. 

[0035] If more than one version has been modified, 
50 then the general synchronization module 425 in step 
640 instructs the content-based synchronization mod- 
ule 430 to reconcile the modified versions. Reconcilia- 
tion may include requesting instructions from the user 
or, based on preselected preferences, performing re- 
55 sponsive actions such as storing both versions at both 
stores. 

[0036] General synchronization module 425, 510 in 
step 645 sends the preferred version of the workspace 
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element or just a compilation of the changes to the other 
store. That is, if the preferred version is a workspace 
element in the workspace data 185, then general syn- 
chronization module 425 sends the preferred version or 
the changes to general synchronization module 510 to 
update the outdated workspace element in the work- 
space data 123. If the preferred version is a workspace 
element in the workspace data 123, then the general 
synchronization module 510 sends the preferred ver- 
sion or the changes to the general synchronization mod- 
ule 425 to update the outdated workspace element in 
the workspace data 1 85. Method 600 then jumps to step 
635. 

[0037] The foregoing description of the preferred em- 
bodiments of the invention is by way of example only, 
and other variations of the above-described embodi- 
ments and methods are provided by the present inven- 
tion. For example, although the global server 120 is il- 
lustrated as a single device, the global server 120 may 
include several computers networked together. Al- 
though not described in great detail, the remote terminal 
105 can synchronize copies of workspace elements 
stored on it with workspace elements of workspace data 
1 23 stored on the global server 1 20. Components of this 
invention may be implemented using a programmed 
general purpose digital computer, using application spe- 
cific integrated circuits, or using a network of intercon- 
nected conventional components and circuits. The em- 
bodiments described herein have been presented for 
purposes of illustration and are not intended to be ex- 
haustive or limiting. Many variations and modifications 
are possible in light of the foregoing teaching. 



Claims 

1 . A computer-based method comprising the steps of: 

(a) generating first examination results from 
first version information which indicates wheth- 
er a first workspace element stored at a first 
store within a firewall has been modified; 

(b) generating second examination results from 
second version information which indicates 
whether an independently-modifiable copy of 
the first workspace element has been modified, 
the copy being stored at a second store outside 
the firewall; 

(c) initiating steps (a) and (b) from within the 
firewall when predetermined criteria have been 
satisfied; 

(d) generating a preferred version from the first 
workspace element and from the copy based 
on the first and second examination results; 
and 

(e) storing the preferred version at the first store 
and at the second store. 
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2. The method of claim 1 wherein the second store is 
on a global server outside the firewall and which is 
protected by a global firewall. 

s 3. The method of claim 1 or claim 2 wherein the first 
version information includes the date and time the 
first workspace element was last modified and the 
second version information includes the date and 
time the copy was last modified. 

4. The method of claim 3 wherein generating the first 
examination results includes the step of comparing 
the first version information against a date and time 
of last synchronization. 

is 

5. The method of claim 3 or claim 4 wherein generat- 
ing the second examination results includes the 
step of comparing the second version information 
against a date and time of last synchronization. 

20 

6. The method of any preceding claim further compris- 
ing, before generating the first examination results, 
the step of updating the first version information 
whenever the first workspace element is modified. 

25 

7. The method of any preceding claim further compris- 
ing, before generating the second examination re- 
sults, the step of updating the second version infor- 
mation whenever the copy is modified. 

8. The method of any preceding claim wherein if only 
one of the first workspace element and the copy has 
been modified, then the step o( generating includes 
selecting the one as the preferred version. 

35 

9. The method of any preceding claim further compris- 
ing the step of locating the first workspace element, 
the first version information, the copy and the sec- 
ond version information. 

40 

10. A system comprising: 

a general synchronization module for operating 
within a first firewall and for examining first ver- 

45 sion information to determine whether a first 

workspace element has been modified; 
a synchronization agent for operating outside 
the first firewall and for forwarding to the gen- 
eral synchronization module second version in- 

so formation which indicates whether an inde- 

pendently-modifiable copy of the first work- 
space element has been modified; 
a synchronization-start module for operating 
within the first firewall and for initiating the gen- 

55 eral synchronization module and the synchro- 

nization agent when predetermined criteria 
have been satisfied; 

means for generating a preferred version from 
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the first workspace element and from the copy 
by comparing the first version information and 
the second version information; and 
means for storing the preferred version at the 
first store and at the second store. 

11. The system of claim 10 further comprising a com- 
munications module for communicating through the 
first firewall. 

12. The system of claim 10or claim 11 wherein the syn- 
chronization agent and the second store are on a 
global server which is protected by a global firewall. 

13. The system of claim 12 further comprising a com- 
munications module for communicating through the 
first firewall and through the global firewall. 

14. The system of any one of claims 10 to 13 wherein 
the first version information includes the date and 
time the first workspace element was last modified 
and the second version information includes the 
date and time the copy was last modified. 

15. The system of claim 14 wherein the general syn- 
chronization module compares the first version in- 
formation against a date and time of last synchro- 
nization. 

16. The system of claim 1 4 or claim 1 5 wherein the syn- 
chronization agent compares the second version in- 
formation against the date and time of last synchro- 
nization. 

17. The system of any one of claims 10 to 16 further 
comprising means for updating the first version in- 
formation whenever the first workspace element is 
modified. 

18. The system of any one of claims 10 to 17 further 
comprising means for updating the second version 
information whenever the copy is modified. 

19. The system of any one of claims 10 to 18 wherein 
if only one of the first workspace element and the 
copy has been modified, then the means for gener- 
ating selects the one as the preferred version. 

20. The system of any one of claims 10 to 19 further 
comprising a locator module for locating the first 
store, the first workspace element, the first version 
information, the second store, the copy and the sec- 
ond version information. 

21. A system comprising: 

first means for generating first examination re- 
sults from first version information which indi- 
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cates whether a first workspace element stored 
at a first store within a firewall has been modi- 
fied; 

second means for generating second examina- 
s tion results from second version information 

which indicates whether an independently- 
modifiable copy of the first workspace element 
has been modified, the copy being stored at a 
second store outside the firewall; 
10 means for initiating the first and second means 

from within the firewall when predetermined cri- 
teria have been satisfied; 
means for generating a preferred version from 
the first workspace element and from the copy 
J5 based on the first and second examination re- 

sults; and 

means for storing the preferred version at the 
first store and at the second store. 

20 22. A computer-readable storage medium storing pro- 
gram code for causing a computer to perform the 
steps of: 

(a) generating first examination results from 
2S first version information which indicates wheth- 
er a first workspace element stored at a first 
store within a firewall has been modified; 

(b) generating second examination results from 
second version information which indicates 

30 whether an independently-modifiable copy of 

the first workspace element has been modified, 
the copy being stored at a second store outside 
the firewall; 

(c) initiating steps (a) and (b) from within the 
35 firewall when predetermined criteria have been 

satisfied; 

(d) generating a preferred version from the first 
workspace element and from the copy based 
on the first and second examination results; 

40 and 

(e) storing the preferred version at the first store 
and at the second store. 

23. A computer-based method comprising the steps of: 

45 

(a) generating first examination results from 
first version information which indicates wheth- 
er a first workspace element stored at a first 
store within a firewall has been modified; 

so (b) generating second examination results from 

second version information which indicates 
whether an independently-modifiable copy of 
the first workspace element has been modified, 
the copy being stored at a second store outside 

55 the firewall; 

(c) initiating steps (a) and (b) from within the 
firewall when predetermined criteria have been 
satisfied; 
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(d) determining based on the first and second tween the global server and the remote cli- 
examination results that both the first work- ent. 

space element and the copy have been modi- 
fied; and 

(e) storing both the first workspace element and s 
the copy at the first store and at the second 
store. 

24. A system comprising: 

10 

first means for generating first examination re- 
sults from first version information which indi- 
cates whether a first workspace element stored 
at a first store within a firewall has been modi- 
fied; is 
second means for generating second examina- 
tion results from second version information 
which indicates whether an independently- 
modifiable copy of the first workspace element 
has been modified, the copy being stored at a 20 
second store outside the firewall; 
means for initiating the first and second means 
from within the firewall when predetermined cri- 
teria have been satisfied; 

means for determining based on the first and 25 
second examination results that both the first 
workspace element and the copy have been 
modified; and 

means for storing both the first file and the copy 

at the first store and at the second store. 30 

25. A system comprising: 

a global server for operating outside a firewall 
and including 35 

memory for storing first workspace data 
and corresponding first version informa- 
tion; and 

a synchronization agent for managing the 40 
first workspace data and the correspond- 
ing first version information and for com- 
municating with remote clients; and 

a remote client for operating within the firewall 45 
and including 

memory for storing second workspace da- 
ta and corresponding second version infor- 
mation; so 
means for cooperating with the synchroni- 
zation agent to synchronize the first work- 
space data with the second workspace da- 
ta by examining the first version informa- 
tion and the second version information; 55 
and 

a synchronization-start module for initiat- 
ing workspace data synchronization be- 
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